Splunk Search

How to combine 2 separate queries and list their data in tabular format.

Aps17
Explorer

e.g.

QUERY 1: host=jtcstcxbsswb* source="/usr/IBM/HTTPServer/logs/access*" httpmethod="GET" statuscode="200" loaninfo="/api*" OR Requestinfo="*/" OR sitename="*/LoginAccountUserName"

|eval APFields=split(loaninfo,"/")

|eval APNumOfFields=mvcount(APFields)

|eval AP2ndFromLast=mvindex(APFields,APNumOfFields-2)

|eval APLoanNumber=mvindex(APFields,6)

|eval APLast=mvindex(APFields,-1)

|search APLast="loans" OR APLast="summary" OR APLast="payments"

|timechart count(APLast), Avg(cookie) as URT  by APLast

 

Query 2 :sourcetype=apigee:digit* host=JTCLSGLAPGERT* APIProduct=*-Authenticated-Product
|timechart span=5m distinct_count(LoginAccountUserName)

I want something like this

 

host=jtcstcxbsswb* source="/usr/IBM/HTTPServer/logs/access*" httpmethod="GET" statuscode="200" loaninfo="/api*" 

|eval APFields=split(loaninfo,"/")

|eval APNumOfFields=mvcount(APFields)

|eval AP2ndFromLast=mvindex(APFields,APNumOfFields-2)

|eval APLoanNumber=mvindex(APFields,6)

|eval APLast=mvindex(APFields,-1)

|search APLast="loans" OR APLast="summary" OR APLast="payments"

|stats count(APLast), Avg(cookie) as URT  by APLast

|append [search sourcetype=apigee:digit* host=JTCLSGLAPGERT* APIProduct=*-Authenticated-Product
|timechart span=5m distinct_count(LoginAccountUserName) ]
 |bin _time|stats count(APLast), Avg(cookie) as URT ,distinct_count(LoginAccountUserName) by APLast


I am able to get the data as
Time | count(APLAST) | URT | LoginAccountUserName (I see only zero values in LoginAccountUserName)


How to fetch the LoginAccountUserName data from the 2nd query and list it here?


richgalloway
SplunkTrust

Looking at the last bits of the merged query

|stats count(APLast), Avg(cookie) as URT  by APLast
|append [search sourcetype=apigee:digit* host=JTCLSGLAPGERT* APIProduct=*-Authenticated-Product
  |timechart span=5m distinct_count(LoginAccountUserName) ]
|bin _time
|stats count(APLast), Avg(cookie) as URT ,distinct_count(LoginAccountUserName) by APLast

we see that before the append we have results containing fields APLast, count(APLast), and URT.

The append command produces additional results with fields _time, and distinct_count(LoginAccountUserName).

The final stats command then attempts to blend the two sets of results by the APLast field, but cannot do so because append did not return a field by that name.

The bin _time command is wasted since the final stats command does not use _time.

I hope that explains why you're not getting the expected results.  I can't offer a solution to the problem because I don't know your data well enough to determine how to relate LoginAccountUserName to anything else.

---
If this reply helps you, Karma would be appreciated.
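As an added illustration (not part of either post above) of the point richgalloway makes, the following SPL shows the general pattern for blending two appended result sets: both halves must carry the same key field, and the final stats must group by that key. Here the assumed common key is _time, both halves are built from constructed sample rows with makeresults rather than the original indexes, and the second half keeps the raw LoginAccountUserName field instead of pre-aggregating it with timechart, so dc() in the final stats has something to count.

```spl
| makeresults count=4
| streamstats count AS row
| eval _time=relative_time(now(), "-1h@m") + (row * 300)
| eval APLast=case(row % 2 = 1, "loans", true(), "summary"), cookie=row * 100
| append [
    | makeresults count=4
    | streamstats count AS row
    | eval _time=relative_time(now(), "-1h@m") + (row * 300)
    | eval LoginAccountUserName="sample_user_" . row
  ]
| bin _time span=5m
| stats count(APLast) AS requests, avg(cookie) AS URT, dc(LoginAccountUserName) AS logins BY _time
```

The four constructed 5-minute buckets each end up with requests=1, URT and logins=1 on one row, because both halves share _time; replacing the subsearch with the original question's timechart would again leave logins at zero, since the raw field no longer exists after that aggregation.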